problem with keyword self

Volker volker at vwsoft.com
Fri Jun 30 12:38:35 UTC 2006


On 2006-06-30, daniel at benzedrine.cx wrote:
> "self" always translates to IP addresses at load-time. To re-translate,
> you have to re-load the ruleset.
> 

Daniel,

a while ago I ran into a case where it can be dangerous
to make use of the 'self' keyword.

If you're setting up a DSL connection using mpd (I guess it's the
same with userland ppp, but have never tried that) the system has
got an unconfigured IP interface (xl0 or whatever), where
unconfigured means it's up but has an IP address of 0.0.0.0.

PPPoE is being done on the interface ng0 for example and this one
has an IP address if the connection is up.

Now if you're using a rule like 'pass in from any to self' (or
something similar) the rule is being translated into 'pass in from
0.0.0.0 to 0.0.0.0' which in turn means 'just pass all traffic
unconditionally' and you're having a great wide open firewall (in
fact, no firewall at all).

I know the example rule is not a real world rule, but just imagine
you're having a rule like 'pass in from any to self port 80' to have
the http server being reachable. That would let traffic pass to
_any_ internal webserver. Sometimes admins are lazy and do stupid
things like that without being aware of the consequences of a
quickly hacked rule.

I'm wondering if you're able to check whether an interface has a
valid IP address or not before processing rules and skip
unconfigured interfaces (or at least do not let them be included
when it comes to 'self' rules). IMHO 'self' should never validate to
an IP address like 0.0.0.0.

Greetings,

Volker
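The pitfall described in the post, simulated as an added example (not code from the post or from pf itself): a small model of pf's load-time expansion of 'self' over a constructed interface table, plus the check Volker asks for, dropping interfaces that are up but still carry 0.0.0.0. The interface names and addresses are made up for the example.

```python
"""Model pf's load-time expansion of the 'self' keyword and flag rules
that would expand to 0.0.0.0 because an interface is up but unconfigured.
Constructed example; IFACE_ADDRS is a made-up table, not read from the
system."""
import ipaddress
import re

# Constructed interface table modelled on the post: xl0 is up but has no
# address yet (0.0.0.0), ng0 carries the PPPoE session address.
IFACE_ADDRS = {
    "xl0": ["0.0.0.0"],
    "ng0": ["203.0.113.7"],
    "lo0": ["127.0.0.1"],
}


def self_addresses(iface_addrs, skip_unconfigured=False):
    """Addresses 'self' expands to at load time, in interface order.
    With skip_unconfigured=True, 0.0.0.0 (the unspecified address) is
    dropped, which is the behaviour the post asks for."""
    addrs = []
    for alist in iface_addrs.values():
        for a in alist:
            if skip_unconfigured and ipaddress.ip_address(a).is_unspecified:
                continue
            addrs.append(a)
    return addrs


def expand_rule(rule, iface_addrs, skip_unconfigured=False):
    """Expand a rule containing 'self' into one concrete rule per address.
    Rules without 'self' are returned unchanged."""
    if "self" not in rule.split():
        return [rule]
    return [re.sub(r"\bself\b", a, rule)
            for a in self_addresses(iface_addrs, skip_unconfigured)]


def audit_rule(rule, iface_addrs):
    """Warn about expansions whose host part becomes 0.0.0.0, which the
    post reports behaves like 'any' and silently widens the rule."""
    warnings = []
    for expanded in expand_rule(rule, iface_addrs):
        tokens = expanded.split()
        for i, tok in enumerate(tokens):
            if tok == "0.0.0.0" and i > 0 and tokens[i - 1] in ("from", "to"):
                warnings.append(f"{rule!r} expands to {expanded!r}: "
                                "'self' includes an unconfigured interface")
    return warnings
```

Running the audit before `pfctl -f` on a box whose PPPoE interface may not be up yet catches exactly the 'pass in from any to self port 80' case from the post.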

